feat(general): Update range includes to handle lists of ranges and lists of values (#6192)

tsmithv11 · web-flow · commit cb825926fc38 · 2024-04-22T09:27:09.000-07:00
* Update range includes

* Add "not" tests and typing

* Fix book typing

* Fix test
diff --git a/checkov/common/checks_infra/solvers/attribute_solvers/range_includes_attribute_solver.py b/checkov/common/checks_infra/solvers/attribute_solvers/range_includes_attribute_solver.py
@@ -1,4 +1,4 @@
-from typing import Optional, Any, Dict, List
+from typing import Optional, Any, Dict, List, Union
 from checkov.common.checks_infra.solvers.attribute_solvers.base_attribute_solver import BaseAttributeSolver
 from checkov.common.graph.checks_infra.enums import Operators
 from checkov.common.util.type_forcers import force_int
@@ -8,16 +8,26 @@ class RangeIncludesAttributeSolver(BaseAttributeSolver):
     operator = Operators.RANGE_INCLUDES  # noqa: CCE003  # a static attribute
 
     def __init__(
-        self, resource_types: List[str], attribute: Optional[str], value: Any, is_jsonpath_check: bool = False
+            self, resource_types: List[str], attribute: Optional[str], value: Union[Any, List[Any]],
+            is_jsonpath_check: bool = False
     ) -> None:
-        super().__init__(resource_types, attribute, force_int(value), is_jsonpath_check)
+        # Convert value to a list if it's not already one to unify handling
+        value = [force_int(v) if isinstance(v, (str, int)) else v for v in
+                 (value if isinstance(value, list) else [value])]
+        super().__init__(resource_types, attribute, value, is_jsonpath_check)
 
     def _get_operation(self, vertex: Dict[str, Any], attribute: Optional[str]) -> bool:
         attr = vertex.get(attribute)  # type:ignore[arg-type]  # due to attribute can be None
 
         if attr is None:
             return False
 
+        if isinstance(attr, list):
+            return any(self._check_value(value, attr_val) for attr_val in attr for value in self.value)
+
+        return any(self._check_value(value, attr) for value in self.value)
+
+    def _check_value(self, value: Any, attr: Any) -> bool:
         # expects one of the following values:
         # - an actual int
         # - a string that parses to an int
@@ -28,11 +38,15 @@ def _get_operation(self, vertex: Dict[str, Any], attribute: Optional[str]) -> bo
             return True
 
         if isinstance(attr, str) and attr.count("-") == 1:
-            try:
-                start, end = attr.split("-")
-                return True if force_int(start) <= self.value <= force_int(end) else False
-            except (TypeError, ValueError):
-                # Occurs if there are not two entries or if one is not an int, in which case we just give up
-                return False
-
-        return True if force_int(attr) == self.value else False
+            return self._check_range(value, attr)
+
+        return bool(force_int(attr) == value)
+
+    @staticmethod
+    def _check_range(value: Any, range_str: str) -> bool:
+        try:
+            start, end = range_str.split("-")
+            return bool(force_int(start) <= value <= force_int(end))
+        except (TypeError, ValueError):
+            # Occurs if there are not two entries or if one is not an int, in which case we just give up
+            return False
diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/JsonPathRangeIncludesList.yaml b/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/JsonPathRangeIncludesList.yaml
@@ -0,0 +1,18 @@
+metadata:
+  name: "example"
+  category: "GENERAL_SECURITY"
+  id: "JsonPathRangeIncludesList"
+scope:
+  provider: "AWS"
+definition:
+  cond_type: "attribute"
+  resource_types:
+    - "test"
+  attribute: "range"
+  operator: "jsonpath_range_includes"
+  value:
+    - "400"
+    - 3000
+    - 100
+    - "1"
+
diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/RangeIncludesList.yaml b/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/RangeIncludesList.yaml
@@ -0,0 +1,18 @@
+metadata:
+  name: "example"
+  category: "GENERAL_SECURITY"
+  id: "RangeIncludesList"
+scope:
+  provider: "AWS"
+definition:
+  cond_type: "attribute"
+  resource_types:
+    - "test"
+  attribute: "range"
+  operator: "range_includes"
+  value:
+    - 200
+    - 3000
+    - 400
+    - "500"
+
diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/resources/main.tf b/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/resources/main.tf
@@ -22,6 +22,10 @@ resource "test" "pass6" {
   range = "2000-4000"
 }
 
+resource "test" "pass7" {
+  range = ["2100","2000-4000","3400"]
+}
+
 resource "test" "fail1" {
   range = 2000
 }
@@ -53,3 +57,7 @@ resource "test" "fail7" {
 resource "test" "fail8" {
   range = "1000-5000-6000"
 }
+
+resource "test" "fail9" {
+  range = ["1000","2000-2900"]
+}
diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/test_solver.py
@@ -17,37 +17,59 @@ def setUp(self):
     def test_range_includes_int_solver(self):
         root_folder = 'resources'
         check_id = "RangeIncludesInt"
-        should_pass = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6']
-        should_fail = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7', 'test.fail8']
+        should_pass = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7']
+        should_fail = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7',
+                       'test.fail8', 'test.fail9']
         expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
 
         self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)
 
     def test_range_includes_string_solver(self):
         root_folder = 'resources'
         check_id = "RangeIncludesString"
-        should_pass = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6']
+        should_pass = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7']
         should_fail = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7',
-                       'test.fail8']
+                       'test.fail8', 'test.fail9']
         expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
 
         self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)
 
     def test_range_includes_int_jsonpath_solver(self):
         root_folder = 'resources'
         check_id = "JsonPathRangeIncludesInt"
-        should_pass = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6']
-        should_fail = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7', 'test.fail8']
+        should_pass = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7']
+        should_fail = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7',
+                       'test.fail8', 'test.fail9']
         expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
 
         self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)
 
     def test_range_includes_string_jsonpath_solver(self):
         root_folder = 'resources'
         check_id = "JsonPathRangeIncludesString"
-        should_pass = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6']
+        should_pass = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7']
         should_fail = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7',
-                       'test.fail8']
+                       'test.fail8', 'test.fail9']
         expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
 
         self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)
+
+    def test_range_includes_list_solver(self):
+        root_folder = 'resources'
+        check_id = "RangeIncludesList"
+        should_pass = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7']
+        should_fail = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7',
+                       'test.fail8', 'test.fail9']
+        expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
+
+        self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)
+
+    def test_range_includes_list_jsonpath_solver(self):
+        root_folder = 'resources'
+        check_id = "JsonPathRangeIncludesList"
+        should_pass = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7']
+        should_fail = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7',
+                       'test.fail8', 'test.fail9']
+        expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
+
+        self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)
diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/JsonPathRangeNotIncludesList.yaml b/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/JsonPathRangeNotIncludesList.yaml
@@ -0,0 +1,16 @@
+metadata:
+  name: "example"
+  category: "GENERAL_SECURITY"
+  id: "JsonPathRangeNotIncludesList"
+scope:
+  provider: "AWS"
+definition:
+  cond_type: "attribute"
+  resource_types:
+    - "test"
+  attribute: "range"
+  operator: "jsonpath_range_not_includes"
+  value:
+    - "3001"
+    - 3000
+    - 3002
diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/RangeNotIncludesList.yaml b/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/RangeNotIncludesList.yaml
@@ -0,0 +1,16 @@
+metadata:
+  name: "example"
+  category: "GENERAL_SECURITY"
+  id: "RangeNotIncludesList"
+scope:
+  provider: "AWS"
+definition:
+  cond_type: "attribute"
+  resource_types:
+    - "test"
+  attribute: "range"
+  operator: "range_not_includes"
+  value:
+    - "3000"
+    - 3001
+    - "3002"
diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/resources/main.tf b/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/resources/main.tf
@@ -22,6 +22,10 @@ resource "test" "pass6" {
   range = "2000-4000"
 }
 
+resource "test" "pass7" {
+  range = ["2000-2500","3000"]
+}
+
 resource "test" "fail1" {
   range = 2000
 }
@@ -53,3 +57,7 @@ resource "test" "fail7" {
 resource "test" "fail8" {
   range = "1000-5000-6000"
 }
+
+resource "test" "fail9" {
+  range = ["1000-2900","3100-4000"]
+}
diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/test_solver.py
@@ -17,38 +17,59 @@ def setUp(self):
     def test_range_not_includes_int_solver(self):
         root_folder = 'resources'
         check_id = "RangeNotIncludesInt"
-        should_fail = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6']
-        should_pass = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7', 'test.fail8']
+        should_fail = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7']
+        should_pass = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7',
+                       'test.fail8', 'test.fail9']
         expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
 
         self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)
 
     def test_range_not_includes_string_solver(self):
         root_folder = 'resources'
         check_id = "RangeNotIncludesString"
-        should_fail = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6']
+        should_fail = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7']
         should_pass = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7',
-                       'test.fail8']
+                       'test.fail8', 'test.fail9']
         expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
 
         self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)
 
     def test_range_not_includes_int_jsonpath_solver(self):
         root_folder = 'resources'
         check_id = "JsonPathRangeNotIncludesInt"
-        should_fail = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6']
+        should_fail = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7']
         should_pass = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7',
-                       'test.fail8']
+                       'test.fail8', 'test.fail9']
         expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
 
         self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)
 
     def test_range_not_includes_string_jsonpath_solver(self):
         root_folder = 'resources'
         check_id = "JsonPathRangeNotIncludesString"
-        should_fail = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6']
+        should_fail = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7']
+        should_pass = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7',
+                       'test.fail8', 'test.fail9']
+        expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
+
+        self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)
+
+    def test_range_not_includes_list_solver(self):
+        root_folder = 'resources'
+        check_id = "RangeNotIncludesList"
+        should_fail = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7']
+        should_pass = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7',
+                       'test.fail8', 'test.fail9']
+        expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
+
+        self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)
+
+    def test_range_not_includes_list_jsonpath_solver(self):
+        root_folder = 'resources'
+        check_id = "JsonPathRangeNotIncludesList"
+        should_fail = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7']
         should_pass = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7',
-                       'test.fail8']
+                       'test.fail8', 'test.fail9']
         expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
 
         self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,10 @@ resource "test" "pass6" {`
`22`	`22`	`range = "2000-4000"`
`23`	`23`	`}`
`24`	`24`
	`25`	`+resource "test" "pass7" {`
	`26`	`+ range = ["2100","2000-4000","3400"]`
	`27`	`+}`
	`28`	`+`
`25`	`29`	`resource "test" "fail1" {`
`26`	`30`	`range = 2000`
`27`	`31`	`}`
`@@ -53,3 +57,7 @@ resource "test" "fail7" {`
`53`	`57`	`resource "test" "fail8" {`
`54`	`58`	`range = "1000-5000-6000"`
`55`	`59`	`}`
	`60`	`+`
	`61`	`+resource "test" "fail9" {`
	`62`	`+ range = ["1000","2000-2900"]`
	`63`	`+}`